如何在 Axiomatics 中编写“If..then”条件
[英]How can I write a "If..then" condition in Axiomatics
问题描述
The decisioning is to permit if the user has required roles.
如果用户具有所需的角色,则决定是允许。 The required roles and the user's current permissions are in JSON format.所需的角色和用户的当前权限采用 JSON 格式。
Required permissions: (Saved as a attribute)所需权限:(另存为属性)
{
"data": {
"service1": {
"service1.1": true
},
"service2": {
"service2.1: false,
"service2.2": true,
"service2.3": false
}
}
}
User's current permissions:用户当前权限:
{
"data": {
"service1": {
"service1.1": true
},
"service2": {
"service2.1: false,
"service2.2": false,
"service2.3": true
}
}
}
To make the decision, we need to check if the user has the services as true similar to required Permissions.为了做出决定,我们需要检查用户是否拥有与所需权限类似的真实服务。 In the above example, the user has data.service1.service1.1 as true and data.service2.service2.3 as true where the required roles being data.service1.service1.1 as true and data.service2.service2.2 as true, in this case we deny.在上面的示例中,用户的 data.service1.service1.1 为真,data.service2.service2.3 为真,其中所需角色为 data.service1.service1.1 为真,data.service2.service2.2 为真是的,在这种情况下我们否认。
I wrote separate rules to check for each and every service, but that would only be a check of combination of services.我编写了单独的规则来检查每项服务,但这只是服务组合的检查。
rule service1.1{
permit
condition
(allOf(function[booleanEqual], true, requiredRoles.data.service1.service1.1))
&&
(allOf(function[booleanEqual], true, requiredRoles.data.service1.service1.1))
on permit {
advice reasonForPermit{
reasonAttribute= "Contains Valid services"
}
}
}
Would someone please help on how to write a if.. then check in alfa?有人可以帮忙写一个 if.. then check in alfa 吗?
2 个解决方案
解决方案1
4 2020-08-04 12:54:04
There is no if..then construct in ALFA (or XACML).在 ALFA(或 XACML)中没有if..then构造。 You use combining algorithms instead.您改为使用组合算法。 In particular, onPermitApplySecond is the policy combining algorithm that resembles an if..then construct the most.特别是, onPermitApplySecond是最类似于if..then构造的策略组合算法。
However, there is usually a simpler way to express what you want if you can make reasonably assumptions on your attribute data.但是,如果您可以对属性数据做出合理的假设,通常会有一种更简单的方式来表达您的需求。 In your example, for instance, if it's always guaranteed that both the required and current permissions contain exactly one boolean value for each available service, then you could write:例如,在您的示例中,如果始终保证所需权限和当前权限都恰好包含每个可用服务的一个 boolean 值,那么您可以这样写:
rule {
target
clause requiredRoles_service1_1 == false or permitted_service1_1 == true
clause requiredRoles_service2_1 == false or permitted_service2_1 == true
...
permit
}
Remember that in a target, clauses are AND'ed together.请记住,在目标中,子句是通过 AND 连接在一起的。 This rule then checks that, for every service, the role is either not required or is given in the current permissions.然后,此规则会检查对于每项服务,该角色是不需要的还是已在当前权限中提供。
If instead it may happen than any of those attributes is not present (ie there are no values for the attribute), then you have to guard against that case.相反,如果它可能发生而不是那些属性中的任何一个不存在(即属性没有值),那么您必须防范这种情况。 You can do that using a condition like the following one, but there are other ways too:您可以使用类似下面的条件来做到这一点,但也有其他方法:
rule {
permit
condition
(not(booleanIsIn(true, requiredRoles_service1_1)) || booleanIsIn(true, permitted_service1_1))
&&
(not(booleanIsIn(true, requiredRoles_service2_1)) || booleanIsIn(true, permitted_service2_1))
&&
...
}
All in all, there are usually simpler ways to express a policy if you can massage attribute data into other forms. Having a pair of attributes per service, like in the examples above, may not be necessary.总而言之,如果您可以将属性数据传送到其他 forms,通常会有更简单的方法来表达策略。可能没有必要像上面的示例那样为每个服务提供一对属性。
If you could gather all required roles and current permissions in one attribute each, then the policy can be expressed much more compactly.如果您可以将所有必需的角色和当前权限分别收集在一个属性中,那么可以更紧凑地表达策略。 Let's say you have two attributes, requiredRoles and permittedRoles whose values list the service roles required and permitted for a given user, respectively.假设您有两个属性, requiredRoles和permittedRoles ,其值分别列出给定用户所需和允许的服务角色。 In your example, this would mean that requiredRoles has value, say, ["service1.1", "service2.2"] and permittedRoles has value ["service1.1", "service2.3"] .在您的示例中,这意味着requiredRoles具有值,例如["service1.1", "service2.2"]并且permittedRoles具有值["service1.1", "service2.3"] 。 Then you can write a rule like this:然后你可以这样写一个规则:
rule {
permit
condition stringSubSet(requiredRoles, permittedRoles)
}
解决方案2
0 2020-08-06 10:03:43
I was able to do this by creating separate attributes for each service and wrote a rule with the target clause with the service from required roles and the condition will be if the service in the permitted role is true.我能够通过为每个服务创建单独的属性并编写一个带有目标子句的规则来实现这一点,该规则包含来自所需角色的服务,条件是允许角色中的服务是否为真。 I combined all the rules as below in the policy using permitunlessDeny algorithm我使用 permitunlessDeny 算法将以下所有规则组合在策略中
rule rule1 {
target clause requiredRoles.service1_1 == true
deny
condition
not(permittedRoles.service1_1 == true)
on permit {
advice reasonForPermit {
reasonAttribute= "User has valid services"
}
}
}
Thank you for the suggestion Pablo.谢谢巴勃罗的建议。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.